Configure Upstream Proxy Authentication in a Proxy Chain Deployment on a ProxySG or ASG Appliance

Article ID: 169255

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Consider a parent/child (upstream/downstream) proxy chaining deployment in which authentication is configured on the parent (upstream) proxy but not on the child (downstream) proxy. Authentication fails, and no users appear in the Authenticated user list at https://<proxy-ip>:8082/Auth/User-Logins/Summary/Realm/.

This article uses explicit proxy to demonstrate the configuration.

Refer to the following article to learn about authentication flow in explicit and transparent modes on a ProxySG appliance.
Prevent NTLM credentials from being forwarded to a malicious OCS

Cause

The downstream proxy does not pass HTTP 407 challenges from the upstream proxy back to the client. This is the proxy's default behavior and a security measure that prevents client credentials from being forwarded to a malicious OCS (Origin Content Server); in a proxy chaining deployment, however, the upstream is a legitimate proxy server.

Resolution

On the downstream proxy, permit 407 challenges by running the following command in the Command Line Interface (CLI):

#(config) http allow-upstream-407
Allow upstream 407 challenges.

To revert this change, use this command:
#(config) http no allow-upstream-407

In addition, the downstream proxy may also strip the Proxy-Authorization header when it forwards the request upstream, as shown in the following packet captures. This is again the proxy's default behavior: it does not forward the credentials, to avoid leaking them to a third-party OCS.

Child proxy PCAP:


Parent proxy PCAP: the Proxy-Authorization header is not present in the HTTP GET request received on the upstream proxy.


To forward the credentials upstream, add the following Content Policy Language (CPL) to the Local Policy File on the downstream ProxySG. This example enforces the action only for the domain www.example.com:

<proxy>
url.domain=www.example.com authenticate(no, upstream_authentication)
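To confirm from captures that both symptoms are gone after the CLI and CPL changes (the 407 reaches the client, and the Proxy-Authorization header survives to the upstream proxy for the in-scope domain only), the following Python check is an added example and is not part of this article or of SGOS; the HTTP messages are constructed samples and the Negotiate token is a placeholder.

```python
"""Check captured HTTP messages from a proxy chain for the two symptoms in this
article: a 407 challenge not relayed to the client, and a Proxy-Authorization
header stripped before the request reaches the upstream proxy."""

def parse_http_message(raw: str):
    """Split a raw HTTP request or response into (start line, headers dict).
    Header names are lower-cased; repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def challenge_relayed(client_side_response: str) -> bool:
    """True if the response the client received is a 407 carrying at least one
    Proxy-Authenticate header, i.e. the upstream challenge reached the client."""
    start, headers = parse_http_message(client_side_response)
    parts = start.split()
    return len(parts) >= 2 and parts[1] == "407" and "proxy-authenticate" in headers

def credentials_forwarded(upstream_side_request: str, allowed_domain: str) -> dict:
    """Report whether the request seen on the upstream proxy still carries
    Proxy-Authorization, and whether its Host is the domain the CPL rule is
    scoped to (www.example.com in the article)."""
    _, headers = parse_http_message(upstream_side_request)
    host = headers.get("host", [""])[0].split(":")[0].lower()
    return {
        "proxy_authorization_present": "proxy-authorization" in headers,
        "host_in_scope": host == allowed_domain.lower(),
    }

# Constructed samples: a 407 relayed to the client, and the same GET as seen on
# the upstream proxy before (header stripped) and after (header forwarded).
CLIENT_RESPONSE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                   "Proxy-Authenticate: Negotiate\r\n"
                   "Proxy-Authenticate: NTLM\r\n"
                   "Content-Length: 0\r\n\r\n")
UPSTREAM_REQ_STRIPPED = ("GET http://www.example.com/ HTTP/1.1\r\n"
                         "Host: www.example.com\r\n\r\n")
UPSTREAM_REQ_FORWARDED = ("GET http://www.example.com/ HTTP/1.1\r\n"
                          "Host: www.example.com\r\n"
                          "Proxy-Authorization: Negotiate <token-placeholder>\r\n\r\n")
```

Run `credentials_forwarded` against the request captured on the parent proxy before and after adding the CPL rule; the stripped capture reports the header as absent, the forwarded one as present.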